Unfamiliar with EU’s GDPR? Here Is How To Align With It!

What exactly the GDPR stands for and who is affected by it?

EU’s GDPR, which is an acronym for The General Data Protection Regulation will at last become compulsory on 25th of May 2018 following a two-year adaptation phase after the initial voting in favor for the regulation by the EU Parliament back in April 2016. The purpose of the GDPR is to guard all EU citizens from privacy and data violations in a drastically growing data-oriented world that is immensely different from the period in which the prior directive was in force. For those unfamiliar with the differences between powers of different legal acts within the EU, an EU regulation —unlike a directive— is a rule that does not require a separate passing of the legislation by states’ governments ergo the EU institutions have the sole sovereignty to enforce it. The GDPR is applicable to organizations within the EU, however it will additionally apply to organizations stationed outside of the EU in the case of them collaborating with or monitoring the behavior of EU data subjects. Additionally, it is applicable to all legal entities processing and keeping the personal data of data subjects stationed within the European Union.

What changes does the GDPR bring to the table?

Even though the crucial concepts of data privacy remain true to the prior Data Protection Directive, plenty of alterations have been taking place in regards to the regulatory policies. Those are as follows:

The most noticeable alteration to the regulatory physiognomy of data privacy derives from the vast jurisdiction of the GDPR, as it is applicable to every legal entity processing the personal data of data subjects with a residence in the European Union, no matter the company’s location. Prior to this, application by territory of the directive was uncertain and alluded to data process ‘in context of an establishment’. This clash of jurisdiction has popped up in numerous important court cases. With that being said, GDPR makes its validity pretty clear – it is applicable to the processing of personal data by controllers and processors in the EU, no matter whether the processing happens or not within EU’s frame.

The GDPR will be valid in regards to the processing of personal data of data subjects within the EU by a controller or processor not stationed in the EU, merely in the cases in relation to offering goods or services to EU residents and the monitoring of behavior that happens in the EU.

Non-EU businesses processing the data of EU residents will be obligated to have a representative in the EU as well.

With the GDPR in force, organizations in violation of it should expect the following:

Fines stretching up to 4% of yearly global turnover or €20 Million if the percentage translated in Euros do not surpass this amount. That number is the maximum fine that can be expected in the case of the most drastic breaches e.g. not obtaining enough customer consent to process data or going against the basic Privacy by Design concepts.

According to article 28, a company can be punished with 2% yearly global turnover for not having their records in check.

Not letting the supervising authority and data subjects know about a violation or not going through with an impact assessment is also punishable 2% of yearly global turnover.

It is crucial to know that these regulations apply to both controllers and processors- which indicate that ‘clouds’ will not be excluded from GDPR implementation.

Which are all the new rights and obligations EU subjects will be introduced to with the GDPR?

The right to be notified when a breach occurs

With the GDPR, breach notification will be obligatory in all member states where a data violation is expected to end up risking the rights and freedoms of individuals. The notifying has to be conducted within 72 hours of initially having become familiar with the violation. On top of that, data processors will be obligated to inform their customers and the controllers, doing so without a delay after initially finding out about a data breach.

The right to have your data obliterated

The Data Erasure or colloquially known as the “right to be forgotten” permits the data subject to have the data controller wipe out this subject’s personal data, stop any additional spreading of the data, and let third parties stop the processing of the data. The demands for erasure, as put in article 17, incorporate the data that is no longer important to the original aims for processing, or data subjects no longer offering their consent. More so, it should be mentioned that this right demands from controllers to compare the subjects’ rights to the public interest in the obtainability of the data when bearing in mind those kinds of demands.

The right for the data to be portable

A fresh feature that the GDPR brings is the data portability right, which is the right for a data subject to get the personal data in regards to them, which they have prior handed out in a ‘commonly use and machine readable format’ and have the right to transfer that data to a different controller.

The concept of privacy by design

Unlike the novel concept of the right for the data to be portable, the privacy by design is a rule that has been on the EU stage for many years now, however it is only now taking part of the legal arsenal through the GDPR. Within its foundation, privacy by design demands the inclusion of data protection from the onset of the designing of systems, instead of an addition. Furthermore, Article 23 demands from controllers to hold and process solely the data utterly obligatory for the conducting of its duties, on top of limiting the reach to personal data to those having to conduct the processing.

The right to skip the Data Protection Officers

Wouldn’t it be lovely if there was a mechanism for controllers to skip the requirement to share their data processing activities with local DPAs and avoid the enormous bureaucratic blockage with the bulk of Member States having unaligned notification demands? With GDPR it will not be obligatory to hand out notifications or registrations to every local DPA of data processing activities, and it will not be a requirement to get a green light for transfers based on the Model Contract Clauses (MCCs). Rather than that, there will be internal record keeping demands and DPO appointment will be obligatory merely for those controllers and processors whose main job is consisted of processing operations which demand constant and systematic monitoring of data subjects on a massive scale or of particular categories of data or data in connection to criminal convictions and violations.

Last —but certainly not least— how should all those certainly impacted by GDPR act in preparation for the enforcement?

Further awareness should be raised within the circle of organizational leaders

The securing of executive support for mandatory financial decisions should be reached.

A reviewing of the current privacy and security state of any legal entity should be done

A thorough SWOT analysis in regards to the alignment with the GDPR’s requirements needs to be conducted.

After detecting and eliminating any shortcomings, the implementation of adequate administrative, physical and technological security measures to spot and react to any security violations should come as the last phase.

The whole leading platform of any legal entity should always remain vigilant for any later changes within the regulatory policies.